Tested Versions

Product URLs

Details

When parsing a Mac Word document, a single-byte value read from the file is used
as the maximum value of a counter, and that counter feeds arithmetic operations
that compute a memory address. No size checks are performed after the
arithmetic, resulting in an out-of-bounds memory access. The calculated memory
address is used as the destination operand of an "or byte" instruction.

Although the file is identified by the OIT CA SDK as FIMACWORD5, leading to it
being parsed by the libvsword library, the vulnerability can be triggered through
the example parsepst application supplied with the SDK.

The vulnerability is present in the function at address sub_B74A83AC,
specifically starting in the following basic block:

At [1] the value in edi is a counter whose upper bound comes from the file being
parsed. At [2] and [3] additional arithmetic is performed with the counter value
as an argument. The final value of eax is calculated at [3], and at [4] it is
used as a destination operand, resulting in a bit being set at the calculated
address.

No bounds checking is performed, so with a high upper value of the counter,
memory outside the intended buffer is written.

While parsing the supplied testcase, the out-of-bounds access causes a pointer
previously initialized to NULL to become non-NULL, leading to an invalid free()
during the cleanup after the file has been parsed.
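The bug class described above, reduced to a hypothetical C illustration added here (not libvsword code and not the SDK's own structures): a file-supplied byte bounds a loop whose counter is turned into a byte offset by arithmetic, a bit is OR'd into that byte without any bounds check, and the overrun flips an adjacent NULL pointer to non-NULL. The struct layout, field names and sizes are assumptions; the hardened form shows the check that should precede the arithmetic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define BITMAP_BYTES 16   /* assumption: room for 128 entries */

/* Hypothetical parser state; cleanup_ptr sits right after the bitmap so an
   overrun of the bitmap lands on it, mirroring the NULL -> non-NULL effect. */
struct parser_state {
    uint8_t bitmap[BITMAP_BYTES];
    void *cleanup_ptr;   /* starts NULL; freed during cleanup if non-NULL */
    uint8_t tail[16];    /* keeps the worst-case overrun inside this object */
};

/* Vulnerable form: trusts the file-supplied count. The byte offset (i >> 3)
   is computed from the counter and the bit is OR'd in with no size check. */
static void set_bits_unchecked(struct parser_state *st, uint8_t count)
{
    uint8_t *base = (uint8_t *)st;               /* bitmap is at offset 0 */
    for (unsigned i = 0; i < count; i++)
        base[i >> 3] |= (uint8_t)(1u << (i & 7)); /* "or byte [addr], bit" */
}

/* Hardened form: validate the count against the bitmap capacity before any
   counter-derived arithmetic is used for memory access. */
static bool set_bits_checked(struct parser_state *st, uint8_t count)
{
    if (count > BITMAP_BYTES * 8)
        return false;                            /* reject malformed input */
    for (unsigned i = 0; i < count; i++)
        st->bitmap[i >> 3] |= (uint8_t)(1u << (i & 7));
    return true;
}

/* 1 if the unchecked loop turned cleanup_ptr non-NULL, 0 otherwise. */
int corrupts_cleanup_ptr(uint8_t count_from_file)
{
    struct parser_state st;
    memset(&st, 0, sizeof st);
    set_bits_unchecked(&st, count_from_file);
    return st.cleanup_ptr != NULL;
}

/* -1 if the checked form rejects the count, else the number of bits set. */
int checked_bits_set(uint8_t count_from_file)
{
    struct parser_state st;
    memset(&st, 0, sizeof st);
    if (!set_bits_checked(&st, count_from_file))
        return -1;
    int n = 0;
    for (size_t b = 0; b < BITMAP_BYTES; b++)
        for (int k = 0; k < 8; k++)
            n += (st.bitmap[b] >> k) & 1;
    return n;
}
```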

The byte used as the counter's upper bound is located at offset 0x334 in the
supplied testcase.

In a hypothetical situation, more interesting data structures could be located
at the addresses accessed out of bounds, potentially leading to further abuse.